cross-frame-scripting – WindowsTechs.com

Auth Token not included in CORS exploit

Posted on December 14, 2022 by Abhinav Kumar

I have found a CORS on a website but when I am trying to exploit it for a POC it is fetching all the cookies except auth cookies and due to that I am getting an error message to "User not logged In"

CORS Exploit Request

Continue reading Auth Token not included in CORS exploit→

Is "Math.random" the same as "crypto.getRandomValues" (JavaScript security)

Posted on November 12, 2021 by Parking Master

This question may be a little off-topic, but is Math.random the same as crypto.getRandomValues? (JavaScript)
Here’s an example:
Math.random(); // 0.11918419514323941
self.crypto.getRandomValues(new Uint32Array(10))[0]; // 2798055700

(Usin… Continue reading Is "Math.random" the same as "crypto.getRandomValues" (JavaScript security)→

How to create a secure embeddable HTML form?

Posted on April 24, 2021 by Luciano

I have an https website and I want to let other websites embed one of the pages on my website that lets users of my service log in and submit a form, similar to Paypal’s payment iframe or Plaid’s Link. Many such services exist, and from wh… Continue reading How to create a secure embeddable HTML form?→

How should I configure NoScript to allow payment verfication systems

Posted on April 18, 2020 by ianinini

I use NoScript as a Firefox extension. I generally have scripts blocked, and manually allow scripts from the main site only if I find I can’t do what I need to. (Sometimes I also have to allow scripts from secondary sites, but usually I ca… Continue reading How should I configure NoScript to allow payment verfication systems→

Is it okay to only provide clickjacking protection on the login page?

Posted on September 11, 2019 by Bhuvanesh Kumar

I have a question about Clickjacking.

The question is quite simple. Imagine a login flow like this:

You visit the application login page, eg https://example.com/login.html. There is no Clickjacking protection (i.e. the X-… Continue reading Is it okay to only provide clickjacking protection on the login page?→

Can a javascript on parent page log keystrokes inside an iframe?

Posted on August 14, 2019 by hax

I am trying to analyze the possibility of accessing keystrokes from an iframe using a javascript running on the parent page. The potential attack which I am looking to verify is Cross Frame Scripting.

From the OWASP page, I read that the … Continue reading Can a javascript on parent page log keystrokes inside an iframe?→

How does one exploit cross scripting?

Posted on April 19, 2018 by TrevorKS

In my computer science class, my professor provided the following example…

Normally, a user would provide a link by typing the following in chatroom…

[Example Website](https://example.com)

And receive a output of…

… Continue reading How does one exploit cross scripting?→

Loading a logged in page in an iframe

Posted on March 27, 2018 by SleepyLord

Suppose www.youtube.com have no X-Frame-Options set.

Imagine I’m already logged in to YouTube. Now from another web page in the same browser I’m loading YouTube in an iframe, will the browser send all the auth-cookies to the… Continue reading Loading a logged in page in an iframe→

Is window.postMessage origin check important for “stateless” iframe application?

Posted on January 12, 2018 by Tirithen

So I’m creating a service that will be embedded in iframes and with web views like JxBrowser, the parent site will be able to pass in private input data with window.postMessage and receive back message events with private out… Continue reading Is window.postMessage origin check important for “stateless” iframe application?→

X-Frame-Options Absent but cant load the page in iframe

Posted on May 13, 2017 by one

I am trying to find the reason that a certain webpage is not getting iframed even when X-Frame-Options header is absent.
Observation:
When I write an HTML with iframe tag pointing to the URL and save this file locally and ope… Continue reading X-Frame-Options Absent but cant load the page in iframe→